The life of a Forensic Analyst is one of the most fascinating and quickly evolving careers in the cyber security world. Unlike Pentesters, who proactively test for vulnerabilities with the intent of preventing a breach, Forensic Analysts are the ones called in to clean it up. Those who work in forensics are the boots on the ground when it comes to discovering and stopping cyber criminals. In other words, they do the dirty work so you don’t have to.
Ali Sawyer has been working with LMG Security since 2014. She graduated from Columbia University in New York City and is a valued member of LMG’s Forensic Team as a Security Consultant and Digital Forensic Analyst. She has worked on a wide array of cases, from phishing exploits to ransomware, and has developed content for Black Hat.
How would you describe forensics to someone who didn’t know what it was?
Forensics is basically like trying to solve a digital mystery. Our job is to piece together the events that occurred on a computer or network following an incident by analyzing digital artifacts left as a result of those events. An incident can be a cyberattack, criminal activity, or a suspected violation of an organization’s acceptable use policy. The evidence we analyze includes computer hard drives, logs, and other devices like cell phones. Our goal is to answer questions like when the incident occurred, which systems were impacted, and whether any sensitive data was exposed or stolen.
What made you want to work in forensics?
I like that we get to set out and discover new information, and try to make sense of a situation that was not fully understood at the time we got involved. It’s a really exciting and dynamic field because the threats and the digital artifacts we work with are constantly changing. We are constantly learning new techniques to stay on top of our game.
What’s the most interesting case you’ve been a part of?
That would have to be a case where hackers gained access to our client’s systems by exploiting a vulnerability in their vendor’s software. The hackers encoded their payload and stashed it in the computer’s registry, and we were able to reconstruct it and see exactly what it was: a cryptocurrency miner. It’s an illustration of the fact that you can be doing everything right, but you can still be impacted by a security incident that occurs through a third party.
What’s something people might not know you can retrieve via digital forensics?
One that kind of creeps me out is that computers store not only the things you’ve googled recently, but also the data you enter into forms in your web browser. Computers also store the networks they have connected to recently, which can give an idea of physical location.
What is the most important skill a forensic analyst needs to have?
Persistence and creativity. There are a lot of variables affecting each case, so analysts need to have a few tricks up their sleeve in case their initial approach doesn’t yield results. The field is very young, so we are constantly developing new techniques to get after the answers we’re looking for.
What’s the number one thing a client can do to protect themselves from a breach?
If I must pick just one, I would say enable two-factor authentication on all cloud accounts. We see these accounts getting hacked all the time by criminals who have stolen or guessed the password. 2FA dramatically reduces this risk and is easy to use.
What trends are you seeing in forensics currently?
We are still seeing a lot of ransomware cases, which has been a major trend for a few years now. We’re also seeing a lot of cases involving hacked email accounts and cryptojacking, where a criminal uses a client’s computing resources to mine cryptocurrency.
If I deleted a text message off my phone, could you still retrieve it?
Most likely, yes!
What’s the craziest thing a client has asked you to try and retrieve?
This was not something a client asked for, but one of the craziest things we have retrieved is a photo found by my colleague, Shane Hanson, of a fake driver’s license made with data stolen from our client’s server. There was also a photo of the criminal, presumably, holding a credit card with the same name on it. It appears that these documents were used to meet the identity verification requirements of a cryptocurrency exchange, because the criminal was mining cryptocurrency on our client’s server.
Any side projects you’re working on?
Helping develop LMG’s brand-new Data Breaches course, which will debut at Black Hat USA in August!
Ali was interviewed by Stevie Freund, LMG’s Forensics Project Coordinator.
Thank you for reading and don’t hesitate to reach out with any questions to [email protected]